The CodePlex Foundation: First Impressions (and Recommendations)

Well, it’s been a busy week in Lake Wobegon, hasn’t it? First, the Wall Street Journal broke the story that Microsoft had unwittingly sold 22 patents, not to the Allied Security Trust (which might have resold them to patent trolls), but to the Open Inventions Network. A few days later, perhaps sooner than planned, Microsoft announced the formation of a new non-profit organization, the CodePlex Foundation, with the mission of “enabling the exchange of code and understanding among software companies and open source communities.”

Not surprisingly, more articles were written about the apparent snookering of Microsoft by AST and OIN than about the new Foundation. But while the tale of the 22 patents is now largely over, the CodePlex story is just beginning. Microsoft says that its goal for the new Foundation is to create an open and neutral environment, and that the formation documents posted and governance structure described at the CodePlex Foundation site can provide a foundation for such an organization. The CodePlex site also makes clear that the Bylaws you can find there are just a starter set, stating, “Our governance documents are deliberately sparse, because we expect them to change.”

That’s good to hear, because I’ve reviewed all of the material at the CodePlex site, and I think that quite a bit of the governance structure will need to change before CodePlex can expect to attract broad participation.

Over the past 22 years, I’ve helped structure scores of open, consensus based consortia and foundations, and represented over 100 in all (disclosure: they include the Linux Foundation; a full list can be found here). In this blog entry, I’ll show where I think the legal and governance structure of CodePlex has wandered off the open path, and offer specific recommendations for how the structure could be changed to give people (other than Microsoft business partners) confidence that CodePlex will be an organization worth joining.

Since there’s a lot of ground to cover, to make it an easier read I’ll use the self-interview approach that I’ve picked up from Steve O’Grady over at RedMonk.

Q: What’s the sixty thousand foot guidance on how to set up an organization that will inspire confidence that it’s safe to join?

A: It’s all about three closely related factors: appearances, control mechanisms, and broad support. What you want to do is to create a structure that you demonstrably _can’t_ control. If you claim that you want the organization you launch to be neutral, and then people find “gotchas” in the documents, you’ve lost the credibility war on the first day of battle.

It also helps enormously to launch with multiple partners, rather than try to add them later after people are no longer paying attention. You’ll never get more press than on the day you do your public launch, and if both competitors as well as allies are standing next to you on the stage as co-founders, that sends a powerful message that the organization really is not under any individual company's control.

For this reason, new organizations traditionally operate in stealth mode until they sign up an impressive roster of co-founders, so that people pay attention, and figure that there is broad industry support for what you want to accomplish. If instead you’re out there all alone, then people wonder why that’s so.

In this case, Microsoft launched without any co-sponsors (it has been theorized by many that the launch date was accelerated to offset the adverse publicity generated by the disclosure of the sale of the 22 patents), which I think was a mistake. If you go through the CodePlex site, you also learn that, while additional sponsors will be welcome, Microsoft has provided $1 million in funding for the first year’s operation. Microsoft will also provide the staff that will run the organization.

While it’s good that Microsoft is willing to provide so much economic support in times like these, it’s not helpful in building trust that the organization really will be independent and neutral. For better or worse, if all of the money and all of the staff come from one company, it will be hard for most folks to believe that CodePlex it will really be neutral in action.

Perhaps most significantly, when you go through the formation documents in greater detail, you also start running into “gotchas.” Some of these can be easily changed, and perhaps were meant to be open for discussion. But others (such as the decision not to form CodePlex as a membership organization) are so fundamental that I expect that Microsoft doesn’t intend for them to change.

The bottom line is that forming a successful consensus-based organizations is a bit like stepping through the looking glass – you win by giving things away, not by extracting value from others or controlling them. You have to create a place where people can be expected to conclude that it's safer to be a part of the organization, than to stay outside. Consequently, if it looks like you've kept too much control, the best you can hope for is to form a glorified user group. I’ve written extensively on how to form an organization that is convincingly open, for example here and here.

Q: So now let’s cover the basics; how is the Foundation set up?

A: Microsoft organized CodePlex under the non-profit laws of the State of Washington, which may be a good neutral choice, or may not. Most attorneys (myself included) aren’t familiar with Washington law, so it’s hard to tell (I always use Delaware law when forming a new non-profit, since its laws are very flexible, and most attorneys have some familiarity with it). Also, CodePlex has not been set up as a membership organization, which is very unusual for an organization operating in an area that usually relies on consensus in order to be credible.

Q: Is that good or bad?

A: In my view, it’s bad, because it means that the Board of Directors not only has complete control, but the Board is also self-perpetuating (i.e., the directors elect their own successors). Moreover, there are no term limits on how long a Board member can serve. In this kind of organization, the Board is not answerable to the participants, and the participants have no say or control at all over how the organization is managed or evolves.

Q: But as long as the Board is balanced, shouldn’t that be OK?

A: In theory, yes. And, to be fair, even in organizations (like most of the consortia I set up) where members elect the Board, almost all actions are approved by the Board, rather than the members. And in order to pay the bills, its common that those that pay more get more of the board seats. But I always try to get the founders to agree to charge smaller companies significantly less than large companies to join at a membership level with board election rights, and also to allocate board seats to achieve diversity in whatever way is relevant to the particular organization (e.g., geographically, by industry sector, to include end users, and so on).

In this case, individuals and companies that decide to participate in CodePlex won’t be able to vote for the directors at all. At minimum, this means that CodePlex will have to work very hard to convince others that the Board really is balanced, and therefore will look out for the best interests of all stakeholders, and not just the company that is paying all of the bills.

Q: Is there any way to tell from the documents how likely that will be?

A: There’s one provision that particularly concerns me. Currently, the Board has six members, and the Bylaws provide that the successor board that will be appointed within 100 days will have only five members – that’s a very small board indeed.

Q: Is that a problem?

A: In my view, very much so. Ordinarily, when you form an organization that will be consensus based and will need to satisfy many constituencies, you want to have a board that is large enough to provide lots of different voices at the table, without making it so large that it becomes unworkable. Well, if you start to think about balance, what would be the best you could achieve with a Board of five?

I wouldn’t expect that the number of community representatives will outnumber the corporate representatives, so that means we could expect at least two corporate representatives besides Microsoft, and therefore no more than two community representatives. Out of the entire open source community, how would you allocate those two seats? One to a staff representative from, say, Mozilla, and one to an individual developer? If so, that means that there would be no room for a government representative, or an academic, or a standards community representative, or an end-user. Some of these groups are much more under represented in open source projects than software vendors, and also have a lot to gain from an organization like this – as well as a lot to share with the other members.

No matter how you slice it, you just can’t get real representation of a market and user sector as diverse and broad as open source with a board this small.

Q: Can’t the new board just change the number if it’s too small?

A: Yes and no. Under the Bylaws, it takes a two-thirds vote of all directors serving in order to enlarge the Board. That means that it would take 4 out of 5 directors to add any extra seats. So if Microsoft directly or indirectly controls only two seats (e.g., if it holds one seat, and a sympathetic business partner holds another), they could block the Board from enlarging itself - ever. Moreover, the permanent board will be divided into three classes – one director will have a two-year term, two will have three-year terms, and two will have four-year terms (terms will be for three years thereafter). This is unusually long, and further insures that whatever Microsoft puts in place at the end of the 100 day planning period will have a very long life indeed. For all of these reasons, I’d say that in order for CodePlex to be credible, it will be essential for the permanent Board to be larger and more diverse that the initial Bylaws permit.

Q: The CodePlex Web site stresses that Microsoft will be taking recommendations from anyone and everyone. More specifically, it says:

Our Board of Directors is an interim board. While we've worked hard to see that the board has a community voice as well as a partner voice, we think one of the board's primary missions is to act as a search committee to find a permanent board of directors that brings representation from commercial software companies and open source communities such that all parties feel confident the board can fairly represent their views.

Q: Doesn’t that help?

A: Yes, it certainly does, but we’ll need to wait and see whom they pick. If you look at the list of interim Board members, the only people that aren’t Microsoft employees are Miguel de Icaza (the business partner voice), and Shaun Bruce Walker, of DotNetNuke (the community voice).

Miguel is a very skilled open source manager, but Novell has had a rough ride these last few years, and its relationship with Microsoft has been very important to growing revenue and to its continuing survival. And Shaun’s brief bio at the CodePlex site reads in part:

Shaun is the original creator of DotNetNuke®, an open source web application framework and web content management system for ASP.NET which has spawned the largest and most active open source developer community native to the Microsoft platform (700,000 members and 6.5 million downloads).

That doesn’t mean that Shaun isn’t a good, community kind of guy, but there certainly are many community representatives that Microsoft could have chosen that have no strong ties to the Microsoft ecosystem at all.

Given that gaining trust for openness has a lot to do with appearances, Microsoft would have been smart to have chosen people with no ties to Microsoft at all – especially given that the Microsoft representatives on the interim board, acting alone, will be able to vote in the permanent, self-perpetuating Board.

Q: But isn’t there a Board of Advisors as well?

A: That’s so (although I note that the Bylaws say that CodePlex “may” rather than “shall” have a BoA – not a good call from the appearances perspective). But note that the Bylaws say that the Board of Directors has no obligation to consult with the BoA or follow its advice. Moreover, the actual duties of the BoA can be set by the Board by vote – they don’t need to appear in the Bylaws at all. So far, the CodePlex Web site doesn’t display the minutes of any Board of Directors meetings, so we don’t know whether the BoA may already have a charter (some, but far from all, consortia and open source foundations post Board minutes on their public Web sites. It would be a good sign if CodePlex decides to follow the more open practice of posting them).

The initial Board of Advisors is made up about 50 – 50 by Microsoft and non-Microsoft employees (you can find the full list in the right hand column on this page, but without links to their biographies so far). But again, that’s only before you look at the past and current relationships of some of the non-Microsoft employees. Stephen Walli, for example, is a former employee of Microsoft, and has done consulting work for them since then. Stephe is a great guy, and a personal friend of mine. In fact, I'm confident that he will provide a strong and independent voice, so I think he’s a great person to have on the BoA. But again, many other people don't know Stephe, so if Microsoft really wants to build confidence in its intentions, it should recruit people with no ties at all. Moreover, with a Board of Advisors, you want to bring in outside voices, not replicate those that are already represented on the Board of Directors. So there really isn’t any reason to have more than one or two Microsoft employees on the BoA, if indeed any at all. If the permanent Board of Advisors still has multiple Microsoft representatives, that won’t be a good sign.

Q: The CodePlex site says that it “is a 501(c)(6) organization.” Does that help?

A: Not yet – and possibly seeking tax exemption wasn’t even the original intention, since I note that the current Bylaws don’t include the provisions that the IRS would expect to see there in a tax exempt organization.

CodePlex may now hope to become tax exempt in the United States under IRS Section 501(c)(6) (i.e., as a trade association, which is the right exemption for them to shoot for), but I can’t believe that it has been granted that status yet. An applicant needs to fill out a detailed description of what it will do, how it will be structured, what its budget will be, and what its activities and charter will be. All of these details are to one extent or another yet to be determined. After CodePlex does nail down these details and send the application in, the IRS will take four to six months to give a first response (usually a list of requests for further information).

My firm and I have submitted applications for scores of organizations, and have sometimes had to go to great lengths to satisfy the IRS that an applicant meets the tax exemption criteria if it looks like a single member might be able to exercise too much influence. As CodePlex is currently structured, I think that Microsoft will have a tough time getting tax exempt status at all, because the IRS will not approve an organization that it believes has been formed to be too much for the unique benefit of one company, rather than for the benefit of the industry identified in the application.

In order to make that decision, the IRS looks not only to what the espoused mission of the organization is stated to be, but to what it can infer from the other details in the application. Typically, the IRS looks at who controls the Board, who provides the funding, and similar factors. This isn’t to say that CodePlex won’t be able to gain tax exemption, but I believe that it will need to make a lot of changes to what I see there now if is now before it fills out its application and submits it.

Q: What about the CodePlex mission? How does that sound?

A: I had to smile a bit when I listened to the (scripted) interview at the site. The premise seems to be that (a) “some companies” have “culture” problems that keep them out of open source projects, or are “uneasy” with the “intellectual property” rules of open source foundations; (b) that “more companies” would participate “as much as they should” if better practices, and intellectual property tools, were developed; and (c) that a place is needed to bring “such companies” and open source developers together. It’s clear that all of these statements would be true if you substituted “Microsoft” for the phrase, “some companies,” but I haven’t noticed that any of these factors has been a problem for most other software vendors.

This slide from the interview will give you the flavor:

· Commercial software developers currently under-participate in open source projects
- Cultural differences
- Differing development methodologies
- Differing perspectives on copyrights and patents
- Differing perspectives on licensing
· No other foundation is dedicated to changing that situation

Some of these points would have been valid six years ago. But you’d have to look pretty hard today to find a major software vendor that isn’t significantly involved in open source activities. And almost all of whatever friction that may once have existed between employees of commercial vendors and solo developers mixing it up in open source projects has disappeared. Today, there’s a good, synergistic relationship, with employers realizing that it’s in their best interests to encourage their employees to participate in projects (and not try to closely control those employees when they do), and individual developers realizing that rising through the ranks of an open source project is a great way to get high-paying consulting gigs, as well as full time jobs that provide lots of freedom.

Q: What about the licensing tools posted at the site?

A: They’re not bad, if what you want to do is convey the right to create code that can be distributed under any flavor of open source license. But why would any developer or contributor want to sign such an all purpose license? Lines of code are contributed to defined projects, not to some code bank where they can be archived for posterity.

Developers want to know what the specific license is that their code will be subject to when someone uses it, and usually to have their name in the header of the contributed file as well. None of this is provided for in the templates that CodePlex is encouraging people to use, and the interview clearly states that promoting these licenses will be a goal of the organization. This line of text on the “Contributions, Licenses and Patents” slide set caught my eye as well:

Foundation will extend rights to all downstream developers and users of the contributed code

That’s “downstream” as in “but not upstream,” even though the next bullet reads that CodePlex will be “License-agnostic.” Those two bullets are inherently contradictory.

And there’s another problem here: the Bylaws again require a supermajority Board vote to change the text of these template contribution and assignment agreements from the way they read right now. If this was just a starter set of Bylaws, there would be no need for them to call out this particular type of decision for such a vote, so presumably this provision is also not meant to change.

Q: Why do these templates matter?

A: In two ways. First, the CodePlex site says that the Foundation will be promoting their use throughout the industry. Second, the site states that CodePlex is intended not only to develop and promulgate best practices, but to host open source projects as well. Unless CodePlex is set up in a truly neutral fashion, that will lead many people to worry that Microsoft wants to create and legitimize “their” kind of development environment, where Microsoft can feel safe launching projects (all of the initial projects under consideration are Microsoft projects) under IPR rules, and under licenses, that fit their view of what open source should be all about.

Whether it likes it or not, Microsoft is likely to be held to a higher standard with CodePlex than another company might, due to it’s historical hostility to open source, and to it’s current mixed messaging on the same topic. I expect that unless significant changes are made, many people will conclude that CodePlex is intended to become some sort of “alternative universe” of open source development, populated by Microsoft business partners, where only the more limited types of open source licenses are considered to be good options for developers to use. Those licenses are fine for some purposes, but most developers – and even commercial companies - don’t choose them today. If CodePlex flourishes under this type of regime, I won't be surprised if Microsoft (as would most other vendors in the same situation) begins to tell customers that this type of patent-friendly environment is what open source software is “really” all about.

When you combine this with the assertions at the CodePlex site that a primary goal is to get more software vendor employees participating in open source projects across the board, you can easily see why the community might fear that CodePlex has been formed in part to recruit legions of new project participants that will have a new and different agenda than the existing members of the already existing projects that they join.

Q: So what’s your bottom line?

A: There are a lot of games you can play when structuring an organization to make it look open, but still be sure that the founders will have a lot of control for a long time. It may simply be that Microsoft hired a firm to help it structure CodePlex that went overboard on trying to protect its client. But either way, the CodePlex documents have been set up in such a way that the Foundation’s Board of Directors will have no accountability to anyone who participates in CodePlex. As they exist today, they will also ensure that Microsoft will have ongoing veto power for many years to come even if they have only one board seat, and a friend in another.

In short, I think that the materials at the CodePlex site give a lot of cause for legitimate concern, both legally and from a public perception point of view. If Microsoft really wants CodePlex to attract more than its business partners as participants, I think that it needs to go back to the drawing board and make some drastic changes. Hopefully this is just a stumble, and they will be open to suggestions to do just that.

Q: What would you recommend?

A: If Microsoft really wants the open source community, as well as Microsoft’s competitors, to believe that CodePlex is intended to be a safe, neutral place for them to spend their time and efforts, this would be my “must change” list:

1. Provide that the Board will have no fewer than eleven members.

2. Provide that no company and its affiliates (including Microsoft) can have more than one representative on the Board of Directors or Board of Advisors.

3. Provide for a distribution of Board seats by category in order to ensure a truly representative body. That distribution might mean only two seats for commercial software developers, two for open source foundation project managers (a Linux kernel developer lead would be a good choice for one), one for a large enterprise software user, one for a small to medium enterprise (SME), one for a government agency representative (this seat might need to be non-voting), and so on. By a simple majority vote, the Board would be able to change this distribution over time as the marketplace continues to evolve.

4. Establish appropriate membership classes with the right to nominate and elect directors.

5. Commit to an open membership policy, such that anyone can join, subject to meeting minimal, non-discriminatory eligibility criteria (I expect that this is already Microsoft's intention).

There are some additional changes that the Interim Board would be wise to consider implementing as well, each of which would greatly increase credibility and encourage participation:

1. Take back three quarters of the initial funding, and charge corporate members a fee to participate, in order to ensure that the organization is not dependent solely on Microsoft to pay the bills.

2. Provide for the formation of committees and working groups that will carry out the actual work of CodePlex within the strategic plan established by the Board. These committees would develop and adopt deliverables that would be subject to final approval by the Board of Directors, but the Board’s role would be limited to ensuring that proper processes have been followed, and that final deliverables are consistent with the initial charters of the working groups that created them.

3. Hire an outside management company to provide staff, rather than using Microsoft employees.

Yes, that’s a lot of changes. But if there really is a need for individual developers and commercial vendors to get together in a new organization, then community members will need to feel like CodePlex is a safe place to be. Right now, I can’t see that happening without some serious rethinking of the entire governance structure as currently proposed.